1. Technical Field
The present invention generally relates to secure interoperation between two information processing devices where only one of these devices can handle information in a secure manner. In particular, the present invention relates to a method and a system for securely handling an information unit by a first information processing device, for instance a terminal device, interoperating with a second secure information processing device, for instance a portable device like a chip card, whereby the information unit is provided by an issuer.
2. Prior Art
It is commonly known that chip cards are not only utilized as a memory for storing data but also as an access control medium or as a medium for performing encryption and decryption of information. Therefore, from the beginning of the development of chip cards, the field of cryptology has played a central or even dominant role. Meanwhile, the scientific results of this field of development are inseparably related to chip card technology.
The technical field of cryptology divides into two fields of activity, namely cryptography and cryptanalysis. The field of cryptography embraces the science and methodology of encryption and decryption of information.
The science of cryptanalysis addresses the cracking of existing cryptographic systems.
In the field of chip card technology, another major issue is the practicability of the scientific and theoretical aspects of cryptology.
The predominant objective of cryptology is, on the one hand, secrecy of information and, on the other hand, securing or safeguarding the authenticity of information. Both objectives are independent of each other and thus place different requirements on the respective information system. ‘Secrecy’ means that only the addressed receiver is able to decrypt the contents of a message. In contrast to that, ‘authenticity’ enables the receiver of the message to verify that the received message has not been altered during transmission.
For the following description of known techniques of data encryption/decryption, reference is made to chapter 4 of the “Handbuch der Chipkarten”, W. Rankl, W. Effing, 1996, Hanser Verlag, Munich-Vienna, the contents of which are regarded as fully incorporated herein. Each encryption technique uses three types of information. Non-encrypted data are designated as “plain text”, whereas encrypted data are designated as “cypher text”. For encryption/decryption, one or more keys are required as the third type of data. All these types of data are processed by an encryption algorithm. Cryptographic algorithms currently used in chip cards are generally block-oriented, which means that the plain text and the cypher text are always processed as packages of a given length, e.g. 8 bytes in the case of the algorithm used by the Data Encryption Standard (DES), which is discussed in more detail in the following.
It is emphasized hereby that the present invention is applicable to all described fields of cryptography, like encryption, decryption, or one-way cryptographic functions like hash values or digital signature verification mechanisms. Modern cryptographic algorithms are generally based on the known Kerckhoffs principle, which says that the entire security of an algorithm shall depend only on the secrecy of the underlying keys, but not on the secrecy of the cryptographic algorithm itself.
Besides Kerckhoffs' principle, a further known principle is security through masking, which presumes that a fictitious attacker does not know how the system works. But the latter principle is by no means sufficient to secure an information handling system. In practice, the security of modern and already published cryptographic algorithms depends only on the performance of the computers used to crack a cryptographic algorithm, and thus additionally masking the utilized methodology of encryption achieves only an alleged, not a real, increase in protection against attacks. Moreover, the rapidly progressing development of computer performance, which doubles within about one and a half years, and the increasing number of participants in the worldwide computer network, e.g. the Web, provide further ways to perform serious attacks on cryptographic systems or the related keys.
In order to crack a cryptographic algorithm, there are different kinds of attacks. A first one is the “cypher text only attack”, where the attacker knows only the cypher text and tries to obtain the key or the plain text from this information alone. A more promising attack is the so-called “known plain text attack”, where the attacker is in possession of a number of plain-text/cypher-text pairs for a secret key. The secret key can then be obtained by trial and error. The most trivial attack is to find the secret key purely by trial and error, which is called a “brute force attack”. Using a high-performance computer, all feasible encryption keys are tried on the basis of a known plain-text/cypher-text pair until the right one is found. Statistics teaches that, on average, only half of all possible keys have to be checked in order to find the right one. For that reason, a large space of possible keys renders this kind of attack more difficult.
Cryptographic algorithms are further divided into symmetric and asymmetric algorithms, depending on the keys utilized. ‘Symmetric’ means that the algorithm uses the same key for encryption and decryption.
In contrast to that, ‘asymmetric’ cryptographic algorithms, like the one proposed by Whitfield Diffie and Martin E. Hellman in 1976, use different keys for encryption and decryption. The two major principles for a well-performing encryption algorithm are the principles of ‘confusion’ and ‘diffusion’ according to C. Shannon. It is emphasized that both types of algorithms can be taken as a basis for the present invention.
Symmetric cryptographic algorithms are based on the principle of utilizing the same key for both encryption and decryption. A well-known data encryption algorithm called ‘Data Encryption Algorithm’ (DEA) was developed and proposed by the applicant of the present application together with the U.S. National Bureau of Standards in 1977. This standard algorithm is often referred to as the ‘Data Encryption Standard’ (DES). Since that algorithm was designed in consideration of Kerckhoffs' dogma, it could be published without any impact on its security. For the details of that algorithm, reference is made to National Institute of Standards and Technology (NIST), FIPS Publication 46-2, “Data Encryption Standard”, December 1993.
The principle of ‘confusion’ means that the relation between the statistics of the cypher text and the statistics of the plain text shall be such that an attacker cannot profit from it. The second principle, ‘diffusion’, means that every bit of the plain text and of the key shall influence as many bits of the cypher text as possible.
The DEA is a symmetric encryption algorithm using a block architecture. It does not expand the cypher text, which means that plain text and cypher text are of identical length. The block length is 64 bits (= 8 bytes); the key is also 64 bits long but includes 8 parity bits, whereby the space of available keys is considerably reduced, amounting in the case of DES to 2^56 = 7.2×10^16 possible keys. In view of the continuously and permanently increasing computer performance, such a space of possible keys is regarded as the lower limit for the required security of a cryptographic algorithm.
As an exemplary asymmetric cryptographic algorithm, reference is made to the one proposed by Whitfield Diffie and Martin E. Hellman, published in 1976, which is based on two different keys. One of these keys is public, the other is secret. An item of information or a message is encrypted using the public key prior to transmission, and only the owner of the secret key is able to decrypt the encrypted message again. In particular, that principle for the first time enables the implementation of a digital signature, which in principle can be verified by everyone who is in possession of the required (public) key. By way of example, reference is made to a first implementation of the aforementioned principle for asymmetric cryptographic algorithms, namely the ‘RSA’ algorithm proposed by Ronald L. Rivest, Adi Shamir and Leonard Adleman, which is currently the best known and most versatile asymmetric cryptographic algorithm. Its functional principle is based on the arithmetic of big integer numbers. Both keys are generated based on two big prime numbers. Encryption and decryption can be mathematically expressed by a modulo function, namely y = x^e mod n for encryption and x = y^d mod n for decryption, with n = p×q, wherein x = plain text, y = cypher text, e = public key, d = secret key, n = public modulus and p, q = secret prime numbers.
For further details of an implementation of the RSA algorithm, reference is made to R. L. Rivest, A. Shamir, and L. M. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, Communications of the ACM, 21(2), pages 120-126, February 1978.
In addition to secrecy of information, another paradigm for encryption algorithms is the ‘authenticity’ of a received message or item of information. As mentioned above, authenticity means that a message has not been altered, i.e. not manipulated.
For that purpose, a message authentication code (MAC) is appended to the actual message and both parts are transmitted to the receiver. The receiver is able to calculate its own MAC and compares that code with the received code. If both match, it is ensured that the transmitted message has not been altered during transmission. For generating a MAC, a cryptographic algorithm with one secret key which is known to both communication partners is utilized. In principle, every cryptographic algorithm can be used for the calculation of a MAC, but in practice the above-mentioned DEA algorithm is utilized nearly exclusively.
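The append-and-recompute flow just described, as an added example that is not part of the original text: HMAC-SHA256 from the Python standard library stands in for the DEA-based MAC, since the standard library provides no DES, and the shared key is a constructed sample value.

```python
import hashlib
import hmac
from typing import Optional

# Secret key known to both communication partners (constructed sample value).
SHARED_KEY = b"constructed-demo-key-0001"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def compute_mac(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """MAC over the message under the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(message: bytes) -> bytes:
    """Sender: the MAC is appended to the actual message, both parts are transmitted."""
    return message + compute_mac(message)


def receive(frame: bytes) -> Optional[bytes]:
    """Receiver: split off the MAC, recompute it and compare.

    Returns the message if both MACs match, None if the message or the MAC
    was altered in transit. compare_digest keeps the comparison itself free
    of a timing side channel.
    """
    if len(frame) < MAC_LEN:
        return None
    message, received_mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
    if not hmac.compare_digest(compute_mac(message), received_mac):
        return None
    return message


def corrupt(frame: bytes, index: int = 0) -> bytes:
    """Flip one bit of a frame, standing in for alteration on the network (test aid)."""
    altered = bytearray(frame)
    altered[index] ^= 0x01
    return bytes(altered)
```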
A particular scenario for the present invention is a situation where a chip card is inserted into a chip card acceptance device—in the following called “terminal device”—which does not yet have a support module capable of accessing the card or of fulfilling a particular function of the chip card on the terminal. Therefore it is required to obtain the missing software component from another source of information, e.g. to download the required module from a central server connected to the Internet. It is noted that the terminal device can either be a computer, like a personal computer or a network computer with chip card reader/writer hardware, or a specialized device combining the chip card reader/writer hardware with an embedded computer.
The transmission will often take place over a network that is open to attacks. It is known that the chip card can ensure that the software component in the device accessing the chip card shares a secret with the chip card, by using mechanisms called external authentication or challenge/response. Further, it is known that a digital signature can secure the download of software, but then the public keys of all potential senders have to be stored on the hard disk of the computer. It is therefore necessary to be able to ensure that the software was not altered on its way through the network and that the software was sent by the owner of the public key. But obtaining the public key for signature verification must itself be done in a secure way before the download is secure. This requires a chain of certification authorities.
On the other hand, an authentication mechanism is needed to verify that the obtained software component is the most recently issued release of that software. Today, version control is handled by continuously increasing a version number.
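The RSA relations given above (y = x^e mod n, x = y^d mod n, n = p×q) and the terminal-side check of a downloaded support module from the last paragraphs, as one added example that is not part of the original text. It uses textbook RSA with two constructed small primes, signs the hash of the module bytes together with the version number (an assumption of this example, so that the version number is covered by the signature), and accepts a module only if the signature verifies under the stored public key and the version is newer than the installed one; module bytes and version numbers are constructed samples.

```python
import hashlib
from math import gcd

# Two constructed primes, far too small for real use: for illustration only.
P, Q = 1000000007, 998244353


def keygen(p=P, q=Q, e=65537):
    """Textbook RSA: n = p*q, d = e^-1 mod (p-1)(q-1). Returns (public, secret)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(x, public):
    e, n = public
    return pow(x, e, n)  # y = x^e mod n


def decrypt(y, secret):
    d, n = secret
    return pow(y, d, n)  # x = y^d mod n


def module_digest(module, version, n):
    """Hash of module bytes plus version number, reduced below the modulus.
    Binding the version into the signed data (assumption of this example) stops
    a valid signature from being reused with a different version number."""
    h = hashlib.sha256(module + version.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") % n


def sign_module(module, version, secret):
    d, n = secret
    return pow(module_digest(module, version, n), d, n)  # signed with the secret key


def verify_module(module, version, signature, public):
    e, n = public
    return pow(signature, e, n) == module_digest(module, version, n)


def accept_module(module, version, signature, public, installed_version):
    """Terminal-side decision for a downloaded support module."""
    if not verify_module(module, version, signature, public):
        return False  # altered in transit, or not from the owner of the public key
    if version <= installed_version:
        return False  # not the most recently issued release
    return True
```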